Certificates per cluster or certificate per service provider?

6/24/2019

We have a service provider that takes a request and creates an Elasticsearch cluster.

What is the best practice to issue an SSL certificate?

1. Should we issue a certificate per cluster?
2. Or should one cluster for my service provider be enough, which will be used to access the clusters?

I am assuming issuing a new certificate while creating the cluster is better.

Please provide me with your input.

Also, inside the cluster, do I really need to enable SSL so that pods talk to each other passing a certificate?

-- Tuhin Subhra Mandal
kubernetes
ssl
ssl-certificate

1 Answer

7/1/2019

Yes, you should definitely use TLS to encrypt network traffic to, from, and within your Elasticsearch clusters running on a shared and managed K8S version (GKE).

Additionally I would opt for a maximum separation of customer spaces with:

I'm not sure if you are aware of the existence of 'Elastic Cloud on Kubernetes' (ECK) - it applies the Kubernetes Operator pattern for running and operating Elasticsearch clusters on your own K8S cluster in GCP. Treat it also as a collection of best practices for running an Elasticsearch cluster in the most secure way; here is a quick start tutorial.

-- Nepomucen
Source: StackOverflow
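
To illustrate the certificate-per-cluster option raised in the question, the following added example (not part of the original question or answer, and not ECK's own mechanism) uses `openssl` to create a separate private CA for each of two clusters and shows that a node certificate from one cluster is rejected when checked against the other cluster's CA. The cluster names `tenant-a` and `tenant-b`, the DNS names, and the helper function names are constructed for illustration.

```sh
# Added example: one private CA per Elasticsearch cluster; all names are constructed.
set -eu
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Minimal OpenSSL config so the script does not depend on the system openssl.cnf.
cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_cluster_ca CLUSTER: self-signed CA that signs only this cluster's nodes.
make_cluster_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -config "$WORKDIR/ca.cnf" -extensions ca_ext -subj "/CN=$1-ca" \
    -keyout "$WORKDIR/$1-ca.key" -out "$WORKDIR/$1-ca.crt" 2>/dev/null
}

# issue_node_cert CLUSTER DNSNAME: node key + certificate signed by CLUSTER's CA.
issue_node_cert() {
  printf 'subjectAltName = DNS:%s\n' "$2" > "$WORKDIR/$1-san.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/ca.cnf" \
    -subj "/CN=$2" -keyout "$WORKDIR/$1-node.key" \
    -out "$WORKDIR/$1-node.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/$1-node.csr" -days 90 -sha256 \
    -CA "$WORKDIR/$1-ca.crt" -CAkey "$WORKDIR/$1-ca.key" -CAcreateserial \
    -extfile "$WORKDIR/$1-san.ext" -out "$WORKDIR/$1-node.crt" 2>/dev/null
}

# verifies CA_CLUSTER NODE_CLUSTER: true only if NODE_CLUSTER's cert chains to CA_CLUSTER's CA.
verifies() {
  openssl verify -CAfile "$WORKDIR/$1-ca.crt" "$WORKDIR/$2-node.crt" 2>/dev/null \
    | grep -q ': OK$'
}

for c in tenant-a tenant-b; do
  make_cluster_ca "$c"
  issue_node_cert "$c" "es-0.$c.svc.cluster.local"
done

for ca in tenant-a tenant-b; do for node in tenant-a tenant-b; do
  if verifies "$ca" "$node"; then r=trusted; else r=rejected; fi
  echo "CA of $ca -> node of $node: $r"
done; done
```

With a single certificate or CA shared across every cluster the provider creates, all four combinations would be trusted, so a key leaked from one cluster would be accepted by the others.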